GDPR Article 25

Article 25 of the General Data Protection Regulation (GDPR), titled "Data protection by design and by default", sets out the requirements for data privacy by design and data privacy by default.

Data privacy by design means that appropriate organizational and technical measures to ensure personal data security and privacy are embedded into the complete lifecycle of an organization’s products, services, applications, and business and technical procedures. Technical measures can include, but are not limited to, pseudonymization and data minimization.

Data privacy by default means that, without any action by the individual, (a) only the personal data necessary for each specific purpose is collected, stored, or processed and (b) personal data is not made accessible to an indefinite number of people.

Article 25(3) also specifies that an approved certification mechanism, as described in Article 42, may be used as an element to demonstrate compliance with the privacy by design and privacy by default requirements. [1]

Compliance Description

Article 25 conveys two key principles, privacy by design and privacy by default, that underlie the entire GDPR. For example:

Article 5(1)(c) requires that data processing be limited to what is necessary for the purpose for which the data is initially collected (privacy by design), and Article 5(1)(f) requires that personal data be protected against unauthorized access, which in practice means limiting access to those who need it (privacy by default).

Although Article 25 names pseudonymization and data minimization explicitly as examples, it gives Data Controllers flexibility in determining which technical measures best ensure data security and privacy. When selecting a measure, the Data Controller must take into account, and under the accountability principle be able to document, an evaluation of the measure along four criteria:

State of the Art: An evaluation of the latest and most advanced data security and privacy enhancement tools available. For example, newer technologies include behavior analytics, which profile normal access patterns and raise an alert when activity diverges from them; privileged user monitoring, which records the actions of administrators and can block their access to data if necessary; and Format-Preserving Encryption (FPE), which produces ciphertext with the same format and length as the plaintext (a 16-digit number stays a 16-digit number) so that encrypted fields fit the existing database schema without changes.

Processing Profile: An evaluation of the nature, scope, context, and purposes of the data processing.

Risk Profile: An evaluation of the likelihood and severity of risks to the rights and freedoms of natural persons when processing personal data. Risks include "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed" (Article 32(2)). Conducting a risk assessment is best done with a Data Protection Impact Assessment (DPIA), often called a Privacy Impact Assessment (PIA), as specified in Article 35 of the GDPR.

Cost: An evaluation of the cost of implementation relative to the risk profile.

Data privacy by design ensures that privacy is built into products, services, applications, and business and technical processes. Data privacy by default protects a natural person's fundamental right to the protection of their personal data.

Implementing data privacy by design and by default ensures, at a minimum, that:

Only personal data necessary for a specific purpose is collected.

Only data relevant to the original data collection purpose can be processed.

Data that is no longer needed must be deleted.

Natural persons retain control over their personal data: by default it is not made accessible to an indefinite number of people without their intervention, and they can exercise their GDPR rights (access, rectification, erasure, restriction, and objection) over its collection, storage, and processing.

Compliance Methods

Complying with Article 25 requires both organizational and technology strategies.

Organizational Strategies

A few organizational strategies are:

Not copying production databases as-is for development, testing, or analytics purposes. Instead, extract only the fields those purposes need, and anonymize or pseudonymize the copy, keeping any re-identification key separate from it.

Not storing spreadsheets and other exports of personal data in local folders or in personal accounts on SaaS applications such as Box, Dropbox, Google Drive, or OneDrive, where access can be neither controlled nor audited.

Restricting email archive access to a small number of privileged users and monitoring their activity.
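As an added example (not part of the original page), the following Python script shows how the pseudonymization and data minimization measures named in Article 25, together with the strategy above of not copying production data as-is, can be applied when producing a development copy of a customer table. The field names, the sample rows, and the use of HMAC-SHA256 keyed tokens are assumptions made for this illustration; the key is the "additional information" that GDPR Article 4(5) requires to be kept separately from the pseudonymized data. A plain unkeyed hash would not qualify, because anyone with a list of candidate email addresses could hash them and re-identify the rows.

```python
"""Produce a minimized, pseudonymized development copy of a customer table.

Added example, not code from the original page.  Hypothetical assumptions:
the record layout, the field names, the sample rows, and that the stated
purpose of the dev copy is to test an order-reporting feature.
"""
import hashlib
import hmac
import secrets

# Constructed sample "production" rows; every value is invented.
PRODUCTION_ROWS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "full_name": "Alice Andersson", "date_of_birth": "1984-03-09",
     "postcode": "SW1A 1AA", "phone": "+44 20 7946 0000",
     "order_total": 42.50, "order_date": "2024-01-15"},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "full_name": "Bob Brown", "date_of_birth": "1990-11-21",
     "postcode": "M1 1AE", "phone": "+44 161 496 0000",
     "order_total": 17.00, "order_date": "2024-01-16"},
    {"customer_id": "C-1001", "email": "alice@example.com",
     "full_name": "Alice Andersson", "date_of_birth": "1984-03-09",
     "postcode": "SW1A 1AA", "phone": "+44 20 7946 0000",
     "order_total": 8.99, "order_date": "2024-02-02"},
]

# Data minimization: only the fields the stated purpose (order reporting)
# needs.  Anything not listed here (full_name, phone) never leaves production.
PURPOSE_FIELDS = ("customer_id", "email", "date_of_birth", "postcode",
                  "order_total", "order_date")

# Direct identifiers are replaced by keyed tokens.  The key is the
# "additional information" of GDPR Art. 4(5): it stays in production
# (e.g. a secrets manager) and is never shipped with the dev copy.
TOKENIZED_FIELDS = ("customer_id", "email")


def new_pseudonymization_key() -> bytes:
    """Generate a fresh 256-bit key; store it separately from the output."""
    return secrets.token_bytes(32)


def tokenize(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed token: HMAC-SHA256(key, field || 0x00 || value).

    Same value -> same token, so joins between tables still work in dev.
    Without the key, a dictionary of candidate emails cannot be hashed and
    matched against the tokens (unlike an unkeyed SHA-256).  The field name
    is mixed in so the same string in two columns yields different tokens.
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def generalize(field: str, value):
    """Coarsen quasi-identifiers that the purpose needs only approximately."""
    if field == "date_of_birth":
        return value[:4]            # keep birth year only
    if field == "postcode":
        return value.split()[0]     # keep outward code only, e.g. "SW1A"
    return value                    # other fields pass through unchanged


def pseudonymize_record(row: dict, key: bytes) -> dict:
    """Apply minimization, tokenization and generalization to one row."""
    out = {}
    for field in PURPOSE_FIELDS:
        if field not in row:
            continue
        if field in TOKENIZED_FIELDS:
            out[field] = tokenize(str(row[field]), key, field)
        else:
            out[field] = generalize(field, row[field])
    return out


def pseudonymize_dataset(rows, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in rows]


def leaks_direct_identifier(dev_rows, prod_rows) -> bool:
    """Release check: no raw value of a dropped or tokenized field may appear
    anywhere in the dev copy.  Returns True if a leak is found."""
    sensitive = set()
    for r in prod_rows:
        for f, v in r.items():
            if f in TOKENIZED_FIELDS or f not in PURPOSE_FIELDS:
                sensitive.add(str(v))
    return any(str(v) in sensitive for r in dev_rows for v in r.values())


if __name__ == "__main__":
    key = new_pseudonymization_key()
    dev_copy = pseudonymize_dataset(PRODUCTION_ROWS, key)
    for r in dev_copy:
        print(r)
    print("leak check passed:", not leaks_direct_identifier(dev_copy, PRODUCTION_ROWS))
```

The release check at the end is the part worth keeping in a real pipeline: it is cheap, and it catches the common failure where a new column is added to production and silently flows into the test copy. Note that generalizing a date of birth to a year and a postcode to its outward code reduces, but does not eliminate, the risk that a row can be singled out by combining quasi-identifiers; that residual risk is exactly what the Risk Profile evaluation above is meant to weigh.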